Fix use-after-free in BrowserActionView::~BrowserActionView()

BrowserActionView::~BrowserActionView deletes ExtensionActionViewController,
which calls CleanupPopup, which resets a MenuButton::PressedLock, which was
already deleted. Fix the order of destruction.

BUG=418737

Review URL: https://codereview.chromium.org/615543006

Cr-Commit-Position: refs/heads/master@{#297325}

chrome/browser/ui/views/toolbar/browser_action_view.h

@@ -169,6 +169,12 @@ class BrowserActionView : public views::MenuButton,
   virtual void OnPopupShown(bool grant_tab_permissions) OVERRIDE;
   virtual void CleanupPopup() OVERRIDE;
 
+  // A lock to keep the MenuButton pressed when a menu or popup is visible.
+  // This needs to be destroyed after |view_controller_|, because
+  // |view_controller_|'s destructor can call CleanupPopup(), which uses this
+  // object.
+  scoped_ptr<views::MenuButton::PressedLock> pressed_lock_;
+
   // The controller for this ExtensionAction view.
   scoped_ptr<ExtensionActionViewController> view_controller_;
 
@@ -184,9 +190,6 @@ class BrowserActionView : public views::MenuButton,
   // updated.
   IconObserver* icon_observer_;
 
-  // A lock to keep the MenuButton pressed when a menu or popup is visible.
-  scoped_ptr<views::MenuButton::PressedLock> pressed_lock_;
-
   DISALLOW_COPY_AND_ASSIGN(BrowserActionView);
 };